https://community.netapp.com/t5/ONTAP-Discussions/LDAP/m-p/109955#M23237 <P>We are having a slight problem with group permissions on shared CIFS volumes. We are using LDAP for authenication for our Linux users, but we also use Windows machines and want to allow acces to shared resources eg project directories (qtrees with security style unix on the NetApp)</P><P>&nbsp;</P><P>The userid mapping between Linux and Windows works fine, as below</P><P><STRONG>diag secd authentication show-creds -node netapp1 -vserver svm_nas_04 -unix-user-name marg</STRONG></P><P><STRONG>UNIX UID: marg &lt;&gt; Windows User: AD\marg (Domain User)</STRONG></P><P>&nbsp;</P><P>If we have a qtree, shared as a project directory psa<BR /><STRONG>92305782 drwxrws--- 18 ad67 psa 4096 Aug 14 10:26 psa</STRONG></P><P><BR />The user ad67 should have access to it, along with any member of the psa user group. This all works correctly with Linux, but in Windows the user marg (a member of the psa user group) is denied access</P><P>In the secd log :</P><P>&nbsp;</P><P>00000011.00459fd7 03f88bde Thu Sep 10 2015 13:30:22 +01:00 [kern_secd:info:4225] | [000.006.633] debug: Searching LDAP for the "uid" attribute(s) within base "ou=People,dc=nisdb,dc=ourdom" (scope: 2) using filter: (&amp;(objectClass=posixAccount)(<FONT color="#FF0000">windowsAccount=ad\5cmarg)</FONT>) { in searchLdap() at utils/secd_ldap_utils.cpp:280 }</P><P>00000011.00459fd8 03f88bde Thu Sep 10 2015 13:30:22 +01:00 [kern_secd:info:4225] | [000.008.445] debug: Could not find IDs for local unix user marg for vserver 7 { in getIdsFromUserName() at authorization/secd_local_unix_authorization.cpp:154 }</P><P>&nbsp;</P><P>So NetApp is using the LDAP attibute 'windowsAccount' to authenicate even though the security style is set to unix, whhich is suprising, but explains why authenication fails as our</P><P>OpenLDAP schema does not include the windowsAccount attribute</P><P>&nbsp;</P><P>On our NetApp it is part of the scema</P><P>&nbsp;</P><P><STRONG>services ldap client schema show -vserver svm_nas_04 -instance -schema OUR-TEMPLATE</STRONG></P><P>Vserver: svm_nas_04<BR />Schema Template: OUR-TEMPLATE<BR />Comment:<BR />&lt;snip&gt;<BR /><FONT face="courier new,courier">&nbsp;&nbsp;&nbsp; RFC 2307 nisNetgroupTriple Attribute: nisNetgroupTriple</FONT><BR /><FONT face="courier new,courier">&nbsp;&nbsp; ONTAP Name Mapping windowsAccount Attribute: <FONT color="#FF0000">windowsAccount</FONT></FONT><BR /><FONT face="courier new,courier">&nbsp;&nbsp;&nbsp; Vserver Owns Schema: false</FONT><BR />&lt;snip&gt;</P><P>&nbsp;</P><P>So, if we added this attribute to our LDAP schema, and we populate it this should work (I think).</P><P>My questions are;</P><P><BR /><STRONG>1) Have I missed anything.</STRONG></P><P><STRONG>2) Can NetApps LDAP query be set to use </STRONG><BR /><STRONG><FONT color="#0000FF">(&amp;(objectClass=posixAccount)(uid=marg))</FONT></STRONG><BR /><STRONG>or</STRONG><BR /><STRONG><FONT color="#0000FF">(&amp;(objectClass=posixAccount)(uidNumber=10400))</FONT></STRONG><BR /><STRONG>as query strings</STRONG></P><P><STRONG>3) Where can we get a template definition of the windowsAccount attribute.</STRONG></P><P>&nbsp;</P> Wed, 04 Jun 2025 23:16:29 GMT TJSTEWATE4 2025-06-04T23:16:29Z https://community.netapp.com/t5/ONTAP-Discussions/LDAP/m-p/109955#M23237 <P>We are having a slight problem with group permissions on shared CIFS volumes. We are using LDAP for authenication for our Linux users, but we also use Windows machines and want to allow acces to shared resources eg project directories (qtrees with security style unix on the NetApp)</P><P>&nbsp;</P><P>The userid mapping between Linux and Windows works fine, as below</P><P><STRONG>diag secd authentication show-creds -node netapp1 -vserver svm_nas_04 -unix-user-name marg</STRONG></P><P><STRONG>UNIX UID: marg &lt;&gt; Windows User: AD\marg (Domain User)</STRONG></P><P>&nbsp;</P><P>If we have a qtree, shared as a project directory psa<BR /><STRONG>92305782 drwxrws--- 18 ad67 psa 4096 Aug 14 10:26 psa</STRONG></P><P><BR />The user ad67 should have access to it, along with any member of the psa user group. This all works correctly with Linux, but in Windows the user marg (a member of the psa user group) is denied access</P><P>In the secd log :</P><P>&nbsp;</P><P>00000011.00459fd7 03f88bde Thu Sep 10 2015 13:30:22 +01:00 [kern_secd:info:4225] | [000.006.633] debug: Searching LDAP for the "uid" attribute(s) within base "ou=People,dc=nisdb,dc=ourdom" (scope: 2) using filter: (&amp;(objectClass=posixAccount)(<FONT color="#FF0000">windowsAccount=ad\5cmarg)</FONT>) { in searchLdap() at utils/secd_ldap_utils.cpp:280 }</P><P>00000011.00459fd8 03f88bde Thu Sep 10 2015 13:30:22 +01:00 [kern_secd:info:4225] | [000.008.445] debug: Could not find IDs for local unix user marg for vserver 7 { in getIdsFromUserName() at authorization/secd_local_unix_authorization.cpp:154 }</P><P>&nbsp;</P><P>So NetApp is using the LDAP attibute 'windowsAccount' to authenicate even though the security style is set to unix, whhich is suprising, but explains why authenication fails as our</P><P>OpenLDAP schema does not include the windowsAccount attribute</P><P>&nbsp;</P><P>On our NetApp it is part of the scema</P><P>&nbsp;</P><P><STRONG>services ldap client schema show -vserver svm_nas_04 -instance -schema OUR-TEMPLATE</STRONG></P><P>Vserver: svm_nas_04<BR />Schema Template: OUR-TEMPLATE<BR />Comment:<BR />&lt;snip&gt;<BR /><FONT face="courier new,courier">&nbsp;&nbsp;&nbsp; RFC 2307 nisNetgroupTriple Attribute: nisNetgroupTriple</FONT><BR /><FONT face="courier new,courier">&nbsp;&nbsp; ONTAP Name Mapping windowsAccount Attribute: <FONT color="#FF0000">windowsAccount</FONT></FONT><BR /><FONT face="courier new,courier">&nbsp;&nbsp;&nbsp; Vserver Owns Schema: false</FONT><BR />&lt;snip&gt;</P><P>&nbsp;</P><P>So, if we added this attribute to our LDAP schema, and we populate it this should work (I think).</P><P>My questions are;</P><P><BR /><STRONG>1) Have I missed anything.</STRONG></P><P><STRONG>2) Can NetApps LDAP query be set to use </STRONG><BR /><STRONG><FONT color="#0000FF">(&amp;(objectClass=posixAccount)(uid=marg))</FONT></STRONG><BR /><STRONG>or</STRONG><BR /><STRONG><FONT color="#0000FF">(&amp;(objectClass=posixAccount)(uidNumber=10400))</FONT></STRONG><BR /><STRONG>as query strings</STRONG></P><P><STRONG>3) Where can we get a template definition of the windowsAccount attribute.</STRONG></P><P>&nbsp;</P> Wed, 04 Jun 2025 23:16:29 GMT https://community.netapp.com/t5/ONTAP-Discussions/LDAP/m-p/109955#M23237 TJSTEWATE4 2025-06-04T23:16:29Z